Linux Admin Reference – SUDO Configuration in RedHat Enterprise Linux

Sudo differs from the su command and is both more flexible and more secure. The sudo command lets users perform tasks on a Red Hat Enterprise Linux system as another user. One significant advantage is that it logs usage; by default the log data is written to the file /var/log/secure.
The sudo program reads its rules from the configuration file /etc/sudoers; these rules decide whether a command is allowed or not. Edit /etc/sudoers with the visudo program provided by the sudo package, which checks the syntax before the file is saved.
Configuring SUDO to allow normal users to use Root Commands
A special group ‘wheel’ exists on a Red Hat Enterprise Linux system and is traditionally used for privileged activity. Add the supplementary group ‘wheel’ to the user (this command must be run as root):
# usermod -aG wheel normaluser
Verify that the user is now a member of the group wheel:
# groups normaluser
normaluser : normaluser wheel
Edit the file /etc/sudoers using the visudo command:
# sudoers file.
#
# This file MUST be edited with the ‘visudo’ command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# Defaults specification
# User privilege specification
root ALL=(ALL) ALL
# Uncomment to allow people in group wheel to run all commands
# %wheel ALL=(ALL) ALL
# Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
Notice that the /etc/sudoers file has examples and comments. To allow members of the group ‘wheel’ to run commands through sudo as root, uncomment the line:
…
# Uncomment to allow people in group wheel to run all commands
%wheel ALL=(ALL) ALL
…
Now run the privileged commands again as normaluser:
$ sudo /sbin/service sendmail restart
Password:
Shutting down sendmail: [ OK ]
Shutting down sm-client: [ OK ]
Starting sendmail: [ OK ]
Starting sm-client: [ OK ]
The /var/log/secure file will also record the successful use of sudo:
# tail /var/log/secure
…
Aug 2 15:05:49 somehost sudo: normaluser : TTY=pts/2 ; PWD=/home/normaluser ; USER=root ; COMMAND=/sbin/service sendmail restart
Configuring SUDO permission to a normal user for a Specific Set of Commands
Create a group called “privusers”, then add it as the secondary (supplementary) group of the user who should be allowed to use sudo:
# groupadd privusers
# useradd -G privusers user1
Check that the user name and groups are assigned properly. For example:
# cat /etc/passwd | grep user1
user1:x:501:501::/home/user1:/bin/bash
# cat /etc/group | grep user1
privusers:x:500:user1
user1:x:501:
Now run visudo on the command line:
# visudo
Create a User_Alias called PRIVUSERS and add the sudo user's name to it. This gives you the flexibility to add more names later:
User_Alias PRIVUSERS = user1
Create a Cmnd_Alias called PRIVSERVICES, so that the same alias can refer to more than one command as requirements change:
Cmnd_Alias PRIVSERVICES = /sbin/fdisk
Grant the command alias to the sudo group with:
%privusers ALL = PRIVSERVICES
Save and exit visudo. Log in as the sudo user and test the commands:
$ sudo /sbin/fdisk -l
Password: <=== Password of user1
Disk /dev/hda: 5242 MB, 5242880000 bytes
255 heads, 63 sectors/track, 637 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/hda1 * 1 13 104391 83 Linux
/dev/hda2 14 637 5012280 8e Linux LVM
Note: user “user1” cannot run any command that is not listed in the command alias:
$ sudo /bin/su
Sorry, user user1 is not allowed to execute ‘/bin/su’ as root on <hostname>
Configuring Sudo access to a user to “su” ( to root) without a password prompt
To let a user run su through sudo and become another user without being prompted for a password, add the following to /etc/sudoers:
(root@localhost~)# visudo
user1 ALL=NOPASSWD: /bin/su - user2
Now try to log in with the command below, which should not prompt for a password:
(user1@localhost~)$ sudo su - user2
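As an added example that is not part of the original article, the following Python script models how sudo evaluates the kinds of rules used in the three sections above: user and %group matching, User_Alias and Cmnd_Alias expansion, the NOPASSWD tag, exact argument matching (why user1 may run "/bin/su - user2" but not a bare "/bin/su"), and last-match-wins. The sudoers text is constructed from this article's rules; real sudo accepts far more syntax (wildcards, negation, Host_Alias, Defaults, includes) than this checker handles, so it is an aid to reading the file, not a replacement for visudo.

```python
import re

# Constructed sudoers policy built from the rules this article shows (comments dropped, %wheel uncommented).
SUDOERS = """
User_Alias PRIVUSERS = user1
Cmnd_Alias PRIVSERVICES = /sbin/fdisk
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
%privusers ALL = PRIVSERVICES
user1 ALL=NOPASSWD: /bin/su - user2
"""

# Rule shape: who host = [(runas)] [NOPASSWD:|PASSWD:] command, command, ...
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(?:(NOPASSWD|PASSWD):\s*)?(.+)$")

def parse(text):
    # Only the subset the article uses: User_Alias, Cmnd_Alias and plain privilege rules.
    user_aliases, cmnd_aliases, rules = {}, {}, []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        if line.startswith(("User_Alias", "Cmnd_Alias")):
            kind, rest = line.split(None, 1)
            name, members = (s.strip() for s in rest.split("=", 1))
            table = user_aliases if kind == "User_Alias" else cmnd_aliases
            table[name] = [m.strip() for m in members.split(",")]
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported sudoers line: " + line)
        who, host, runas, tag, cmds = m.groups()
        rules.append((who, host, runas or "root", tag == "NOPASSWD", [c.strip() for c in cmds.split(",")]))
    return user_aliases, cmnd_aliases, rules

def cmd_matches(entry, command):
    # ALL matches anything; a bare path allows any arguments; a path with arguments needs an exact match.
    want, got = entry.split(), command.split()
    return entry == "ALL" or (want[0] == got[0] and (len(want) == 1 or want[1:] == got[1:]))

def check(sudoers, user, groups, command, runas="root", host="somehost"):
    # Returns (allowed, password_required); as in sudo, the last matching rule decides.
    user_aliases, cmnd_aliases, rules = parse(sudoers)
    verdict = (False, True)
    for who, host_spec, runas_spec, nopasswd, cmds in rules:
        who_ok = (who in (user, "ALL") or (who.startswith("%") and who[1:] in groups)
                  or user in user_aliases.get(who, []))
        if not (who_ok and host_spec in ("ALL", host) and runas_spec in ("ALL", runas)):
            continue
        expanded = [c for e in cmds for c in cmnd_aliases.get(e, [e])]
        if any(cmd_matches(c, command) for c in expanded):
            verdict = (True, not nopasswd)
    return verdict
```

For example, check(SUDOERS, "user1", ["user1", "privusers"], "/bin/su") returns (False, True), matching the "Sorry, user user1 is not allowed" refusal shown above, while the same call with "/bin/su - user2" returns (True, False) because of the NOPASSWD rule.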